Enable WAF protection for an ALB instance
Enable Web Application Firewall (WAF) protection for your Application Load Balancer (ALB) instance to defend against common web exploits. A WAF-enabled ALB instance uses the WAF 3.0 SDK integration model, which decouples security inspection from traffic forwarding. This design avoids issues common in legacy inline WAF deployments, such as network latency, complex configurations, and single points of failure (SPOFs).
How it works
A WAF-enabled ALB instance uses the WAF 3.0 SDK integration model. In this model, WAF does not act as an inline network node (gateway) for traffic forwarding. Instead, it only extracts, inspects, and protects traffic. This approach avoids the network latency, configuration complexity (such as certificate synchronization), and potential single points of failure associated with the transparent proxy mode.
For more information, see Comparison of WAF 3.0 and WAF 2.0.
-
Request reception: The ALB instance receives a request from a client.
-
Out-of-band inspection: Before forwarding the request to a backend server, the ALB instance uses an embedded SDK to synchronously extract and send the traffic to a WAF 3.0 security inspection cluster.
-
Security analysis: WAF 3.0 analyzes the request content in real time based on your configured protection rules, such as those for core web protection and malicious IP blocking. It then returns an inspection result (allow or block) to the ALB instance.
-
Decision enforcement: The ALB instance acts on the inspection result received from the WAF cluster:
-
Allow: The ALB instance forwards the original request to the backend server.
-
Block: The ALB instance blocks the request and returns an interception page to the client, typically with a 403 status code. The request does not reach the backend server.
-
Usage notes
For WAF-enabled ALB instances:
-
Supported regions:
Area
Region
China
China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), China (Hong Kong), China (Heyuan)
Asia Pacific
Philippines (Manila), Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), Singapore, Thailand (Bangkok), South Korea (Seoul)
Europe & Americas
Germany (Frankfurt), US (Silicon Valley), US (Virginia), Mexico (Queretaro)
Middle East
Saudi Arabia (Riyadh), UAE (Dubai)
-
WAF-enabled ALB instances use the WAF 3.0 SDK integration model. If you have a WAF 2.0 instance in your account, you must first release the WAF 2.0 instance or migrate it to WAF 3.0.
By default, ALB does not add the X-Forwarded-Proto header to requests. After you release a WAF 2.0 instance, accessing the ALB instance directly may cause service issues such as infinite redirects because backend servers cannot identify the original protocol (HTTP or HTTPS). To prevent this issue, you must manually enable the X-Forwarded-Proto request header in the ALB listener configuration.
-
WAF-enabled ALB instances do not support the data leakage prevention feature of WAF.
Enable WAF protection for an ALB instance
After you enable WAF protection, the ALB instance is automatically integrated with your WAF instance. If you do not have a WAF instance, a pay-as-you-go WAF instance is automatically created.
WAF instances are deployed in regions within the Chinese Mainland and outside the Chinese Mainland. Your ALB instance integrates with a WAF instance in the same area.
Create a WAF-enabled ALB instance
Console
When you create an ALB instance, set Edition (instance fee) to WAF-enabled.
API
Call CreateLoadBalancer and set the LoadBalancerEdition parameter to StandardWithWaf to create a WAF-enabled ALB instance.
Enable WAF for an existing instance
You can enable WAF protection for Basic or Standard ALB instances by upgrading them to the WAF-enabled edition.
-
Before you enable WAF protection, make sure the instance is in the Running state.
-
The instance fee unit price varies by edition. The price shown on the buy page is final.
Console
-
Go to the ALB Instances page.
-
Hover over the
icon next to the ID of the target instance. In the Web Application Firewall section, click Enable WAF.
API
Call UpdateLoadBalancerEdition and set the LoadBalancerEdition parameter to StandardWithWaf to upgrade the ALB instance to the WAF-enabled edition.
View protection records
After you enable WAF protection for an ALB instance, WAF automatically creates a protected object with the -alb suffix and enables the core web protection rule by default. This rule automatically generates security reports that show its protection records.
To meet other security requirements, you can configure protection rules.
If multiple domain names resolve to the same ALB instance and you need to configure different protection rules for each domain name, you must add the domain names as protected objects.
Console
-
Go to the ALB Instances page.
-
Hover over the
icon next to the ID of the target instance. In the Web Application Firewall section, click View WAF Security Report.
Disable WAF protection
Disabling WAF protection means that traffic to your ALB instance is no longer protected by WAF. As a result, security reports will not include data for this traffic, and you will no longer be charged WAF request processing fees.
However, because the WAF instance and its protection rules still exist, you are still charged for the WAF service. To completely stop billing, you must disable WAF.
-
Disable WAF protection: After you disable WAF protection, your ALB instance is downgraded from WAF-enabled to Standard. This change does not affect your services.
-
Temporarily disable WAF: If many legitimate requests are incorrectly blocked, you can temporarily disable WAF protection to quickly restore your services.
-
After you temporarily disable WAF protection, the ALB instance remains a WAF-enabled instance. Traffic still flows through the WAF SDK that is embedded in the ALB instance but is no longer forwarded to the WAF cluster for inspection. Instead, the ALB instance directly forwards the traffic to backend servers.
-
Temporarily disabling WAF affects all protected objects associated with the WAF instance. Proceed with caution.
-
Console
Disable WAF protection
-
Go to the ALB Instances page.
-
Hover over the
icon next to the ID of the target instance. In the Web Application Firewall section, click Disable WAF.
Temporarily disable WAF
-
Go to the Protected Objects page in the WAF console.
-
In the upper-right corner of the page, turn off the WAF Protection Status switch to set the status to Disable.
API
Call UpdateLoadBalancerEdition and set the LoadBalancerEdition parameter to Standard to downgrade the ALB instance to the Standard edition.
Apply in a production environment
-
Canary testing: First, enable WAF protection for an ALB instance in a non-production environment that mirrors your production environment. Perform this action during off-peak hours. After you confirm that your services run as expected, enable protection for the ALB instance in your production environment.
-
Continuous monitoring: After you enable WAF protection, monitor your business metrics and network performance metrics. Check security reports and configure CloudMonitor notifications to stay informed about attacks and security events.
-
Rule tuning: Regularly review WAF interception logs, analyze false positives, and adjust protection rules to improve accuracy.
Billing
-
Instance fee:
Instance fee = Instance unit price (USD/hour) × Billing duration (hours) -
LCU fee:
Hourly LCU fee = max{LCUs for new connections, LCUs for concurrent connections, LCUs for processed data, LCUs for rule evaluations} × LCU unit price -
Internet data transfer fee:
-
The internet data transfer fee applies only to internet-facing ALB instances, not to internal instances.
-
Internet-facing ALB instances use Elastic IP Addresses (EIPs) or Anycast EIPs. You are billed separately for the associated EIP or Anycast EIP.
-
-
WAF 3.0 billing: WAF 3.0 supports the subscription and pay-as-you-go billing methods.
-
If you do not have a WAF instance, a pay-as-you-go WAF instance is automatically provisioned and you are billed for its usage when you create a WAF-enabled ALB instance.
-
If you have a subscription WAF 3.0 instance, you will not incur additional WAF fees when you create a WAF-enabled ALB instance.
-
FAQ
ALB integration with WAF 2.0
-
If you have a WAF 2.0 instance, you can integrate your internet-facing Basic and Standard ALB instances with the WAF 2.0 instance in transparent proxy mode. This feature is supported in the following regions: China (Hangzhou), China (Shanghai), China (Shenzhen), China (Chengdu), China (Beijing), and China (Zhangjiakou). Internal ALB instances cannot be integrated with WAF 2.0.
-
If you do not have a WAF 2.0 instance or have not activated WAF, your internet-facing and internal ALB instances both support the WAF 3.0 SDK integration model. In this case, you can create a WAF-enabled ALB instance.